-----------------------------------------------
A] program termination through big error number
-----------------------------------------------

Both client and server handle a type of command (PACKET_SERVER_ERROR
and PACKET_CLIENT_ERROR) for the visualization of some pre-built errors
in the console.
The problem happens when an attacker sends an invalid big error number
(8 bit) which forces the program to terminate spontaneously through the
usage of the error() function.
The bug is exploitable only in-game so the attacker must have access to
the server: his IP must not be banned, he must know the password if it
has been set and the server must not be full.

Clients are affected by an harmless bug when they handle UDP packets.
The first 2 bytes of each UDP packet are a 16 bit number which
specifies the size of the packet.
If this value in a received packet is invalid (for example too small)
the client returns immediately to the main menu.
This bug becomes problematic when a malicious server visible in the
master server list sends invalid replies to the queries sent from the
clients which want to play online and will be no longer able to do it
due to the returning to the main menu.

The current SVN and nightly builds (pre-compiled for many platforms)
have been fixed:

http://www.openttd.org/nightly.php

These new versions (major/equal than r4531) fix also a garbage problem
which causes the termination of the server on some machines when the
attacker uses a big nickname (major than NETWORK_CLIENT_NAME_LENGTH).